There are no shortcuts to fighting human-directed ransomware, according to Microsoft’s latest Digital Defence Report.
“Combating and preventing attacks of this nature requires a shift in an organization’s mindset to focus on the comprehensive protection required to slow and stop attackers before they can move from the pre-ransomware phase to the ransomware deployment phase,” says the report, which was issued today.
“Enterprises must apply security best practices consistently and aggressively to their networks, with the goal of mitigating classes of attacks. Due to human decision-making, these ransomware attacks can generate multiple, seemingly disparate security product alerts which can easily get lost or not responded to in time.
“Alert fatigue is real, and security operations centers (SOCs) can make their lives easier by looking at trends in their alerts or grouping alerts into incidents so they can see the bigger picture. SOCs can then mitigate alerts using hardening capabilities like attack surface reduction rules.
“Hardening against common threats can not only reduce alert volume, but also stop many attackers before they get access to networks.”
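The alert grouping the report recommends can be approximated with a simple correlation rule: link alerts that share a host or a user account and arrive within a time window, so a phishing detection, a credential-dumping detection and a lateral-movement detection on the same workstation surface as one incident instead of three rows in a queue. The following is an added illustration, not Microsoft's code or anything from the report; the alert fields, the sample alerts and the two-hour window are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List

# Accounts too generic to link alerts on their own (a SYSTEM alert would otherwise
# bridge every host into one giant incident). Constructed list for this example.
NOISY_USERS = {"SYSTEM", "-", ""}


@dataclass
class Alert:
    ts: datetime
    host: str
    user: str
    name: str
    severity: int  # 1 = low .. 4 = critical


@dataclass
class Incident:
    alerts: List[Alert] = field(default_factory=list)

    @property
    def hosts(self) -> List[str]:
        return sorted({a.host for a in self.alerts})

    @property
    def users(self) -> List[str]:
        return sorted({a.user for a in self.alerts})

    @property
    def severity(self) -> int:
        return max(a.severity for a in self.alerts)

    @property
    def last_seen(self) -> datetime:
        return max(a.ts for a in self.alerts)


def _shares_entity(a: Alert, inc: Incident) -> bool:
    """An alert joins an incident if it touches a host already in it, or a
    non-generic user account already in it."""
    if a.host in inc.hosts:
        return True
    return a.user not in NOISY_USERS and a.user in inc.users


def group_alerts(alerts: List[Alert], window: timedelta = timedelta(hours=2)) -> List[Incident]:
    """Cluster alerts into incidents by shared host/user within `window` of the
    incident's most recent alert. One alert may bridge two clusters, in which
    case they are merged."""
    incidents: List[Incident] = []
    for a in sorted(alerts, key=lambda x: x.ts):
        matched = [inc for inc in incidents
                   if _shares_entity(a, inc) and a.ts - inc.last_seen <= window]
        if not matched:
            incidents.append(Incident([a]))
            continue
        target = matched[0]
        for other in matched[1:]:          # merge clusters this alert connects
            target.alerts.extend(other.alerts)
            incidents.remove(other)
        target.alerts.append(a)
    return incidents


# Constructed sample: one intrusion chain on WS01/SRV01 plus an unrelated PUA hit hours later.
T0 = datetime(2022, 11, 4, 9, 0)
SAMPLE_ALERTS = [
    Alert(T0, "WS01", "alice", "Suspicious Office macro execution", 2),
    Alert(T0 + timedelta(minutes=30), "WS01", "alice", "LSASS memory access", 3),
    Alert(T0 + timedelta(minutes=50), "SRV01", "alice", "Remote service creation via admin share", 4),
    Alert(T0 + timedelta(minutes=70), "WS01", "SYSTEM", "Scheduled task created", 2),
    Alert(T0 + timedelta(hours=5), "WS07", "bob", "Potentially unwanted application blocked", 1),
]

if __name__ == "__main__":
    for inc in group_alerts(SAMPLE_ALERTS):
        print(f"severity={inc.severity} hosts={inc.hosts} users={inc.users} "
              f"alerts={[a.name for a in inc.alerts]}")
```

Five alerts collapse into two incidents: a severity-4 incident spanning WS01 and SRV01 with four alerts, and a single low-severity incident on WS07. The window is the tuning knob: too narrow and a slow intrusion fragments back into separate alerts, too wide and unrelated noise on a busy host gets pulled in, which is why the generic-account exclusion matters.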
The report urges CISOs and infosec leaders to
- build credential hygiene. More so than malware, attackers need credentials to succeed in their operations. The successful human-operated ransomware infection of an entire organization relies on access to a highly privileged account like a Domain Administrator, or the ability to edit a Group Policy;
- audit credential exposure;
- prioritize the deployment of Active Directory updates;
- prioritize cloud hardening;
- reduce the attack surface;
- harden internet-facing assets and understand your perimeter;
- reduce SOC alert fatigue by hardening your network to reduce volume and preserve bandwidth for high-priority incidents.
Ninety-eight per cent of cyber attacks can be thwarted by basic hygiene, the report stresses, including the adoption of multifactor authentication, a zero-trust security architecture, patching critical applications fast, and protecting data.
The 114-page report notes that while Russia drove headlines with its hybrid online and physical war against Ukraine, Iranian actors escalated their attacks following a transition of presidential power, launching destructive attacks targeting Israel, and ransomware and hack-and-leak operations targeting critical infrastructure in the United States. China also increased its espionage efforts in Southeast Asia and elsewhere in the global south, the report says, seeking to counter U.S. influence and steal critical data and information.
Meanwhile, cybercriminals are becoming more frugal. The proof: To lower their overhead and boost the appearance of legitimacy, the report says, attackers are compromising business networks and devices to host phishing campaigns, malware, or even use their computing power to mine cryptocurrency.
In addition, the report notes that threat actors are increasingly targeting Internet of Things (IoT) devices or Operational Technology (OT) control devices as entry points to networks and critical infrastructure.
One important conclusion in the report: Cybersecurity hygiene is more important than ever because threat actors are rapidly exploiting unpatched vulnerabilities, are using both sophisticated and brute force techniques to steal credentials, and are obfuscating their operations by using open-source or legitimate software.
The report is filled with nuggets of information gleaned from Microsoft products and its security response teams.
For example, the top three contributing factors in ransomware attacks that Microsoft was called in for this year were: insufficient controls preventing access to privileged accounts and/or stopping lateral movement in 96 per cent of incidents; limited adoption of modern security frameworks (87 per cent of incidents); and insecure configurations of the identity provider (86 per cent).
Eighty-eight per cent of impacted ransomware customers did not employ Active Directory and Azure AD security best practices. “This has become a common attack vector as attackers exploit misconfigurations and weaker security postures in critical identity systems to gain broader access and impact to businesses,” the report notes.
Similarly, in 88 per cent of ransomware incidents, multifactor authentication was not implemented for sensitive and high privileged accounts.
None of the impacted organizations implemented proper administrative credential segregation and least privilege access principles via dedicated workstations during the management of their critical identity and high-value assets, such as proprietary systems and business-critical applications, the report adds.
Sixty-eight per cent of organizations impacted by ransomware did not have an effective vulnerability and patch management process. A high dependence on manual processes for patching led to critical openings, the report says. Manufacturing and critical infrastructure continue to struggle with maintenance and patching of legacy operational technology (OT) systems, it adds.
As other cybersecurity companies have reported, Microsoft, too, has seen a drop this year in Canada and the U.S. in ransomware reports. One possibility, this report says, is that in the face of more active law enforcement activity, groups are looking to other countries to attack. Tension between Russia and the United States over Russia’s invasion of Ukraine appears to have put an end to Russia’s nascent co-operation in the global fight against ransomware, Microsoft adds.
Separately, the report notes a rise in targeted attacks that specifically avoid password-based authentication to reduce the chance of detection. These attacks leverage browser single sign-on (SSO) cookies or refresh tokens obtained via malware, phishing, and other methods, the report says. In some cases, attackers choose infrastructure in locations near the geographic location of the targeted user to further reduce the chances of detection.
“We have seen a steady rise in token replay attacks, reaching over 40,000 detections per month in Azure AD Identity Protection. Token replay is the use of tokens that were issued to a legitimate user by an attacker that has possession of said tokens. Tokens are commonly obtained via malware, for example by exfiltrating the cookies from the user’s browser or through advanced phishing methods.”
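A replayed token looks like a legitimate sign-in because it is one: the credential check already happened for the real user. What a defender can still inspect is the context around each use of the same token. The added example below (not Microsoft's code and not from the report) walks a constructed sign-in log grouped by token identifier and flags a token when two consecutive uses come from different IPs that would require impossible travel, or when the client user agent changes between uses. The second check matters because, as the report notes, attackers may pick infrastructure near the victim, which defeats a distance-only rule. Field names, coordinates and the 900 km/h threshold are assumptions for the example.

```python
import math
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass(frozen=True)
class SignIn:
    ts: datetime
    user: str
    token_id: str      # opaque identifier of the session/refresh token as logged (constructed)
    ip: str
    lat: float         # geolocation of the source IP (constructed)
    lon: float
    user_agent: str


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def find_token_replay(events: List[SignIn], max_speed_kmh: float = 900.0) -> List[Dict]:
    """For each token, compare consecutive uses from different IPs. Flag impossible
    travel (faster than max_speed_kmh) and user-agent changes. Returns one finding
    per suspicious pair of uses."""
    by_token: Dict[str, List[SignIn]] = defaultdict(list)
    for e in events:
        by_token[e.token_id].append(e)

    findings: List[Dict] = []
    for token, uses in by_token.items():
        uses.sort(key=lambda e: e.ts)
        for prev, cur in zip(uses, uses[1:]):
            if prev.ip == cur.ip:
                continue                      # same source: nothing to compare
            reasons = []
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            hours = (cur.ts - prev.ts).total_seconds() / 3600
            # Two uses in the same second from different places is instantly suspicious.
            speed = km / hours if hours > 0 else float("inf")
            if speed > max_speed_kmh:
                reasons.append(f"impossible travel: {km:.0f} km in {hours * 60:.0f} min")
            if prev.user_agent != cur.user_agent:
                reasons.append("user agent changed")
            if reasons:
                findings.append({"user": cur.user, "token_id": token,
                                 "from_ip": prev.ip, "to_ip": cur.ip,
                                 "at": cur.ts, "reasons": reasons})
    return findings


# Constructed sample log. alice's token reappears in Frankfurt 25 minutes after Toronto;
# bob's token is reused 22 km away by a scripted client; carol's token stays on one IP.
T0 = datetime(2022, 11, 4, 9, 0)
EDGE = "Mozilla/5.0 (Windows NT 10.0) Edge/106.0"
SAMPLE_SIGNINS = [
    SignIn(T0, "alice", "tok-a1", "203.0.113.10", 43.65, -79.38, EDGE),
    SignIn(T0 + timedelta(minutes=25), "alice", "tok-a1", "198.51.100.7", 50.11, 8.68, EDGE),
    SignIn(T0 + timedelta(hours=1), "bob", "tok-b7", "192.0.2.5", 43.65, -79.38, EDGE),
    SignIn(T0 + timedelta(hours=1, minutes=5), "bob", "tok-b7", "192.0.2.88", 43.59, -79.64,
           "python-requests/2.28"),
    SignIn(T0 + timedelta(hours=2), "carol", "tok-c3", "192.0.2.40", 43.65, -79.38, EDGE),
    SignIn(T0 + timedelta(hours=2, minutes=30), "carol", "tok-c3", "192.0.2.40", 43.65, -79.38, EDGE),
]

if __name__ == "__main__":
    for f in find_token_replay(SAMPLE_SIGNINS):
        print(f"{f['user']} {f['token_id']} {f['from_ip']} -> {f['to_ip']}: {'; '.join(f['reasons'])}")
```

The run yields two findings: alice's token for impossible travel, and bob's token only because the user agent flipped to a scripting library, a case the distance rule alone would miss. The natural response to either finding is to revoke the affected session rather than the password, since the attacker never needed the password to begin with.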